[ https://issues.apache.org/jira/browse/LANG-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17199703#comment-17199703 ]

Gilles Sadowski commented on LANG-1607:
---------------------------------------

bq. https://github.com/apache/commons-lang/pull/459

Personally, I saw neither the PR, nor the discussion about it on GitHub.

bq. maintainers are refusing to change the default RNG, and have decided to 
handle this as a documentation issue only?

Although people most involved in the development of the "Lang" component of the 
"Commons" project participated in the discussion, other "Commons" developers 
may have an opinion about this.
The "dev" ML is still the place where actual decisions are made.


> To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
> ----------------------------------------------------------------------------
>
>                 Key: LANG-1607
>                 URL: https://issues.apache.org/jira/browse/LANG-1607
>             Project: Commons Lang
>          Issue Type: Bug
>            Reporter: Frank Ch. Eigler
>            Priority: Major
>
> In [https://nvd.nist.gov/vuln/detail/CVE-2019-16303], the 
> org.apache.commons.lang3.RandomStringUtils randomAlphanumeric() function is 
> used to generate random strings.  Because of weaknesses of the default RNG, 
> this allows baddies to predict other randomAlphanumeric() results, which in 
> this large family of client programs, results in severe vulnerabilities.
> While the class is not documented to be "cryptographically safe", it would be 
> prudent to upgrade the default RNG used in these classes to be crypto-usable 
> level, such as with the java.security.SecureRandom nextBytes().
> See e.g. this github PR, which is being replicated THOUSANDS of times, in 
> order to work around this problem in countless users of this library.  
> [https://github.com/elderdb/neptune/pull/1] 
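The mitigation the report suggests, shown as an added example that is not part of the issue, the linked PR or the library's own code. It assumes commons-lang3 on the classpath and uses the library's existing `RandomStringUtils.random(count, start, end, letters, numbers, chars, random)` overload, which lets the caller pass a `java.security.SecureRandom` instead of the default RNG.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

// Added example (not from the issue or the library): the generators below
// replace the default-RNG call the report describes.
public final class SecureTokens {
    // One SecureRandom per process; it is thread-safe and seeds itself
    // from the platform's entropy source.
    private static final SecureRandom SECURE = new SecureRandom();

    private SecureTokens() {}

    // The call the issue warns about: randomAlphanumeric() draws from the
    // library's shared default java.util.Random, which the report describes
    // as predictable.
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Same alphabet and same library, but via the overload that accepts a
    // Random, so SecureRandom is used instead of the default. start = 0 and
    // end = 0 select the library's full character range, which the two
    // boolean flags narrow to letters and digits.
    static String secureAlphanumeric(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    // Library-free variant built on SecureRandom.nextBytes(), as the report
    // suggests: fill a byte array and encode it URL-safely. numBytes is the
    // token's entropy in bytes (24 bytes gives 192 bits).
    static String secureOpaqueToken(int numBytes) {
        byte[] raw = new byte[numBytes];
        SECURE.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("default RNG : " + weakToken(32));
        System.out.println("SecureRandom: " + secureAlphanumeric(32));
        System.out.println("nextBytes   : " + secureOpaqueToken(24));
    }
}
```

Any existing `randomAlphanumeric(n)` call used for session ids, reset tokens or similar secrets can be swapped for `secureAlphanumeric(n)` without changing the output alphabet or length.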



--
This message was sent by Atlassian Jira
(v8.3.4#803005)